CN110958267A - Method and system for monitoring threat behaviors in virtual network - Google Patents

Method and system for monitoring threat behaviors in virtual network Download PDF

Info

Publication number
CN110958267A
CN110958267A CN201911303459.8A CN201911303459A CN110958267A CN 110958267 A CN110958267 A CN 110958267A CN 201911303459 A CN201911303459 A CN 201911303459A CN 110958267 A CN110958267 A CN 110958267A
Authority
CN
China
Prior art keywords
behavior
tenant
request
actual
calling
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911303459.8A
Other languages
Chinese (zh)
Other versions
CN110958267B (en
Inventor
林莉
杨焕增
储振兴
檀文婷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Technology filed Critical Beijing University of Technology
Priority to CN201911303459.8A priority Critical patent/CN110958267B/en
Publication of CN110958267A publication Critical patent/CN110958267A/en
Application granted granted Critical
Publication of CN110958267B publication Critical patent/CN110958267B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the invention provides a method and a system for monitoring internal threat behaviors of a virtual network. The method comprises the following steps: acquiring a normal behavior request of a tenant, and constructing a trusted level calling model based on the normal behavior request; acquiring an actual behavior request of a tenant, and if the fact that the tenant performs virtual network management configuration operation is monitored, generating an actual calling flow model through a behavior tracing mode based on acquired actual behavior request information; and matching the actual calling flow model with the credible level calling model to obtain a behavior matching result, judging whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding back the matching result to the tenant. According to the embodiment of the invention, by adopting a behavior tracing and monitoring method aiming at internal security threats and combining behavior matching, on the basis of a credible level association model, actual behaviors are compared with a credible behavior model, feedback is realized, internal security risk monitoring is realized, and the security of a virtual network in a cloud environment is ensured.

Description

Method and system for monitoring threat behaviors in virtual network
Technical Field
The invention relates to the technical field of cloud computing security, in particular to a method and a system for monitoring threat behaviors in a virtual network.
Background
Cloud computing has become one of the research hotspots in the current information field, and by introducing a virtual layer between system software and hardware, the dynamic property, the distributivity and the heterogeneity of a hardware platform are shielded, the effective aggregation and the multiplexing of bottom-layer IT resources are realized, and dynamic and extensible large-scale computing and storage services are provided for remote computer users in a simple and transparent manner.
However, since the available resources of the user are all placed in the cloud service provider, the management authority of the user to the virtual machine used by the user, including storage, computation and network, is limited, in such a scenario, malicious insiders in the cloud service provider maliciously change the resources through the authority to destroy the virtual network resources of the user, which directly causes a lot of adverse security risks that the user cannot normally use the cloud service and user data is maliciously changed or monitored. Therefore, the security problem of the virtual network in the cloud environment is one of the keys of providing services for the user if the cloud computing can be continuously and safely provided. Although the existing virtual network protection methods can solve the problem of virtual network security to a certain extent, most of the existing virtual network protection methods mainly focus on security prevention of a virtual network transmission data network, and cannot prevent management configuration operation of malicious internal management personnel.
Disclosure of Invention
The embodiment of the invention provides a method and a system for monitoring internal threat behaviors of a virtual network, which are used for solving the problem that the malicious internal threats existing in a cloud service environment cannot be accurately identified in the prior art, so that the virtual network resources are damaged.
In a first aspect, an embodiment of the present invention provides a method for monitoring a threat behavior inside a virtual network, including:
acquiring a normal behavior request of a tenant, and constructing a trusted level calling model based on the normal behavior request;
acquiring an actual behavior request of the tenant, and if the fact that the tenant performs virtual network management configuration operation is monitored, generating an actual calling flow model through a behavior tracing mode based on acquired actual behavior request information;
and matching the actual calling flow model with the credible level calling model to obtain a behavior matching result, judging whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding back the matching result to the tenant.
Preferably, the obtaining of the normal behavior request of the tenant and the building of the trusted level invocation model based on the normal behavior request specifically include:
acquiring the normal behavior request through the unique ID of the log to obtain a log analysis result;
acquiring the normal behavior request in a source code analysis mode to obtain source code related keywords and functions;
and generating the credible level calling model based on the log analysis result and the source code related keywords and functions.
Preferably, the obtaining the normal behavior request through the log unique ID to obtain a log analysis result specifically includes:
the tenant performs normal management and configuration on a virtual network, and sends a preset request to a cloud service provider;
and after responding to the request of the tenant, the cloud service provider provides the log information generated by the unique ID of the tenant to a trusted third party, and the trusted third party generates the log analysis result according to the process calling condition of the unique ID in the log information in each node.
Preferably, the obtaining the normal behavior request by a source code analysis manner to obtain the source code related keywords and functions specifically includes:
the tenant performs normal management to configure a virtual network, sends a preset request to a cloud service provider, and sends parameter information transmitted by the tenant to a trusted third party;
and after responding to the request of the tenant, the cloud service provider sends the calling condition of each node under the cloud service platform and the parameter transmission content of each node to the trusted third party to obtain the source code related keywords and functions.
Preferably, the acquiring the actual behavior request of the tenant, and if it is monitored that the tenant performs virtual network management configuration operation, generating an actual call flow model in a behavior tracing manner based on the acquired actual behavior request information specifically includes:
the tenant sends the actual behavior request to a cloud service provider, a behavior acquisition point records the process calling condition and the parameter transmission content of each node, acquired information is stored, and whether the actual calling process model is generated or not is judged according to whether real-time behavior monitoring information exists or not;
if the behavior monitoring point monitors that the tenant performs virtual network management configuration operation in real time, the behavior acquisition point is notified to generate an actual operation calling process;
and the behavior acquisition point generates the actual calling flow model in a behavior tracing manner according to the acquisition information and the information characteristics of the acquisition point and the sequence of the virtual network service process, the virtual network management process and the control assembly from layer to layer upwards through the acquisition information.
Preferably, the matching the actual call flow model and the trusted level call model to obtain a behavior matching result, determining whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding back the matching result to the tenant specifically includes:
finding a corresponding credible level calling model in a library consisting of the credible level calling models according to the actual calling process model;
comparing the collected calling behaviors with the credible level calling model, and matching layer by layer from the bottommost layer of the credible level calling model to obtain the behavior matching result; if the calling behavior can be completely matched, the tenant request corresponding to the calling behavior is considered as normal operation, otherwise, the tenant request corresponding to the calling behavior is considered as a malicious attack behavior;
and returning the matching result to the tenant.
In a second aspect, an embodiment of the present invention provides a system for monitoring a threat behavior inside a virtual network, including:
the acquisition construction module is used for acquiring a normal behavior request of a tenant and constructing a credible level calling model based on the normal behavior request;
the acquisition generation module is used for acquiring the actual behavior request of the tenant, and if the fact that the virtual network management configuration operation of the tenant is carried out is monitored, an actual calling flow model is generated in a behavior tracing mode based on the acquired actual behavior request information;
and the matching module is used for matching the actual calling flow model with the credible level calling model to obtain a behavior matching result, judging whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding the matching result back to the tenant.
Preferably, the acquisition construction module comprises a first acquisition submodule, a second acquisition submodule and a construction submodule; wherein:
the first obtaining submodule is used for obtaining the normal behavior request through the unique log ID to obtain a log analysis result;
the second obtaining submodule is used for obtaining the normal behavior request in a source code analysis mode to obtain source code related keywords and functions;
and the construction submodule is used for generating the credible level calling model based on the log analysis result and the source code related keywords and functions.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
the monitoring method comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the steps of any monitoring method for the internal threat behavior of the virtual network.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of any one of the methods for monitoring threat behaviors inside a virtual network.
According to the method and the system for monitoring the internal threat behaviors of the virtual network, provided by the embodiment of the invention, the behavior tracing and monitoring method aiming at the internal security threats is adopted and is combined with behavior matching, the actual behaviors and the credible behavior model are compared on the basis of a credible level association model, feedback is realized, the internal security risk monitoring is realized, and the security of the virtual network under the cloud environment is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a work flow of a virtual network internal threat oriented in a cloud environment according to an embodiment of the present invention;
fig. 2 is a schematic view of an interaction flow of the virtual network internal threat oriented in the cloud environment according to the embodiment of the present invention;
fig. 3 is a flowchart of a method for monitoring threat behavior inside a virtual network according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a deployment manner of a behavior tracing monitoring method for a virtual network internal threat in a cloud environment according to an embodiment of the present invention;
fig. 5 is a structural diagram of a monitoring system for internal threat behavior of a virtual network according to an embodiment of the present invention;
fig. 6 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Aiming at the problem that malicious internal attack and tampering in a cloud service environment cannot be accurately identified to cause virtual network resource damage in the prior art, the embodiment of the invention provides a monitoring method for internal threat behaviors of a virtual network, which can be simply summarized into three parts, namely trusted level calling model construction, behavior tracing and monitoring aiming at internal security threats and behavior matching, and mainly aims at three stages, namely cloud user creation, virtual network configuration and virtual network management, wherein each stage can be realized through a virtualization management tool and related API and process calling. By adopting the construction method based on the credible hierarchical association model, a complete credible flow of the virtual network creation, management and configuration process of the user is constructed, a credible basis is provided for discovering the internal threat behavior, and the overall work flow diagram is shown in fig. 1.
In the existing cloud computing environment, the management configuration of the virtual network is mainly realized by process calling among all nodes, transmission of key word parameters and configuration management of a virtualization management tool, so that the internal threat discovery method of the virtual network supports threat discovery of malicious calling among all nodes and malicious management of the virtualization management tool, as shown in fig. 2, the method mainly realizes a trusted level calling model, behavior tracing and behavior matching through three modules. Through the combined application of the three modules, the internal threat of the virtual network under the cloud platform is prevented.
Fig. 3 is a flowchart of a method for monitoring threat behaviors in a virtual network according to an embodiment of the present invention, and as shown in fig. 3, the method includes:
s1, acquiring a normal behavior request of a tenant, and constructing a trusted level calling model based on the normal behavior request;
s2, collecting the actual behavior request of the tenant, and if the fact that the tenant performs virtual network management configuration operation is monitored, generating an actual calling flow model through a behavior tracing mode based on the collected actual behavior request information;
and S3, matching the actual calling flow model with the credible level calling model to obtain a behavior matching result, judging whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding the matching result back to the tenant.
Specifically, the embodiment of the invention is implemented by being deployed on an Openstack open source cloud platform, a specific module code is compiled by using python, each module is deployed in each node of the Openstack, a real cloud service scene is simulated by using the Openstack, and a virtual network internal threat monitoring method based on trusted level calling and real-time monitoring in a cloud environment is implemented by configuring normal and abnormal management of a tenant virtual network under the Openstack, wherein the specific deployment is shown in fig. 4.
In step S1, acquiring a normal behavior request of the tenant and a non-malicious attack behavior, and constructing a trusted level calling model based on characteristics of the normal behavior request; it can be understood that a normal behavior library is constructed by combining a source code analysis mode and analysis on a normal behavior log of a user, and is deployed in a cloud environment in a module form to serve as a normal and credible behavior matching standard;
in step S2, the tenant request behavior in the actual use process is collected, and behavior tracing is performed, where behavior tracing is the entire life cycle of the tenant using the cloud service, the related nodes all perform information collection in real time, and behavior monitoring is a necessary condition for triggering the next behavior matching. Once the management configuration operation of the virtual network is monitored and found, generating an actual calling model by utilizing the acquired information in a behavior tracing manner to prepare for the next behavior matching; collecting points are deployed in main processes of key nodes of the Openstack cloud platform, such as neutron-server, plugin process, rpc (remote procedure call) call and the like under control nodes, agent processes in networks and computing nodes and the like. Deploying real-time monitoring points in management implementation processes such as virtual equipment, agents and the like, and monitoring changes of the virtual network, as shown in fig. 4;
in step S3, the actual call flow model and the trusted level call model obtained in the previous steps are matched to obtain a matching result, and whether the actual behavior request of the tenant is a malicious attack behavior is determined according to the matching result, and the matching result is fed back to the tenant.
According to the embodiment of the invention, by adopting a behavior tracing and monitoring method aiming at internal security threats and combining behavior matching, on the basis of a credible level association model, actual behaviors are compared with a credible behavior model, feedback is realized, internal security risk monitoring is realized, and the security of a virtual network in a cloud environment is ensured.
Based on the above embodiment, the obtaining of the normal behavior request of the tenant and the constructing of the trusted level calling model based on the normal behavior request specifically include:
acquiring the normal behavior request through the unique ID of the log to obtain a log analysis result;
acquiring the normal behavior request in a source code analysis mode to obtain source code related keywords and functions;
and generating the credible level calling model based on the log analysis result and the source code related keywords and functions.
The obtaining of the normal behavior request through the unique log ID to obtain a log analysis result specifically includes:
the tenant performs normal management and configuration on a virtual network, and sends a preset request to a cloud service provider;
and after responding to the request of the tenant, the cloud service provider provides the log information generated by the unique ID of the tenant to a trusted third party, and the trusted third party generates the log analysis result according to the process calling condition of the unique ID in the log information in each node.
The obtaining of the normal behavior request in a source code analysis manner to obtain source code related keywords and functions specifically includes:
the tenant performs normal management to configure a virtual network, sends a preset request to a cloud service provider, and sends parameter information transmitted by the tenant to a trusted third party;
and after responding to the request of the tenant, the cloud service provider sends the calling condition of each node under the cloud service platform and the parameter transmission content of each node to the trusted third party to obtain the source code related keywords and functions.
Specifically, firstly, a normal behavior request of a user is acquired through a log unique ID:
1) the tenant normally manages and configures a virtual network, and sends a related request to a cloud service provider;
2) and after the cloud service provider responds to the tenant request, providing the log information generated by the unique ID of the tenant to a trusted third party, wherein the trusted third party provides a basis for establishing a trusted level calling model according to the process calling condition of the unique ID in the log at each node.
Then, acquiring a normal behavior request of the tenant through a source code analysis mode:
1) or the tenant normally manages and configures the virtual network, sends the related request to the cloud service provider and sends the parameter information transmitted by the tenant to the trusted third party;
2) after the cloud service provider responds to the tenant request, the calling condition of each node under the cloud platform and the parameter transmission content of each node are sent to the trusted third party, and a basis is provided for the trusted third party to generate a trusted level calling model.
And generating a credible level calling model by integrating the information acquired in the two steps, wherein each normal behavior process called by the user in the cloud environment is described in a finite state machine mode, each state of the finite state machine represents the operation of each layer in the cloud environment, and the credible level calling model is generated by utilizing an algorithm through relevant keywords and functions in source codes of each layer and log analysis.
According to the embodiment of the invention, the normal behavior request of the user is obtained through the unique ID of the log and the source code analysis, and a standard credible level calling model is constructed on the basis of the normal behavior request, so that a reliable reference basis is provided for subsequent behavior matching.
Based on any of the embodiments, the acquiring an actual behavior request of the tenant, and if it is monitored that the tenant performs virtual network management configuration operation, generating an actual call flow model in a behavior tracing manner based on the acquired actual behavior request information specifically includes:
the tenant sends the actual behavior request to a cloud service provider, a behavior acquisition point records the process calling condition and the parameter transmission content of each node, acquired information is stored, and whether the actual calling process model is generated or not is judged according to whether real-time behavior monitoring information exists or not;
if the behavior monitoring point monitors that the tenant performs virtual network management configuration operation in real time, the behavior acquisition point is notified to generate an actual operation calling process;
and the behavior acquisition point generates the actual calling flow model in a behavior tracing manner according to the acquisition information and the information characteristics of the acquisition point and the sequence of the virtual network service process, the virtual network management process and the control assembly from layer to layer upwards through the acquisition information.
Specifically, firstly, acquiring an actual behavior request of a tenant:
1) the behavior of the virtual network is configured through normal management of the tenant, and the internal malicious management behavior can send a request to corresponding services of the cloud platform, the virtual network is configured through illegal management of normal or internal malicious managers of the user, and parameters and function calls are transmitted among all nodes;
2) before the cloud service provider responds to various management behaviors, each acquisition point records the process calling condition and the parameter transmission content of each node;
3) the behavior acquisition point stores the acquired information and judges whether to generate an actual calling model according to whether behavior monitoring information exists or not;
and then monitoring the actual behavior request of the tenant:
1) the behavior monitoring points are deployed on the virtual network equipment and the process nodes, when relevant virtual network operation exists, the behavior monitoring points inform the acquisition points to generate an actual operation calling process, and in the hierarchy calling process among all the nodes, the acquisition points collect calling information of all the hierarchies and use (time: func) into a log file;
2) after receiving the request of the behavior monitoring point, the behavior acquisition point generates an actual calling flow model according to the sequence of calling time through the information stored in the acquisition point;
further tracing the actual behavior request of the tenant:
after the behavior monitors the calling in real time, an actual calling model is generated by the behavior tracing mode through the information of each acquisition point, the virtual network service process, the virtual network management process and the control assembly layer by layer according to the information characteristics in the acquisition points, such as time (func). It can be understood that, when the real-time monitoring point monitors that a virtual network configuration behavior exists in a virtual network implementation process (such as a virtual device, agent), each acquisition point is notified, and the behavior of the current behavior is traced back.
According to the embodiment of the invention, the actual network request message is accurately recorded through the collection, monitoring and tracing of the actual behavior, the actual calling process model is completely constructed, the series of user behaviors of the tenant in the actual cloud service request process are highly restored, and a real basis is provided for the subsequent matching.
Based on any of the above embodiments, the matching the actual call flow model and the trusted level call model to obtain a behavior matching result, determining whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding back the matching result to the tenant specifically includes:
finding a corresponding credible level calling model in a library consisting of the credible level calling models according to the actual calling process model;
comparing the collected calling behaviors with the credible level calling model, and matching layer by layer from the bottommost layer of the credible level calling model to obtain the behavior matching result; if the calling behavior can be completely matched, the tenant request corresponding to the calling behavior is considered as normal operation, otherwise, the tenant request corresponding to the calling behavior is considered as a malicious attack behavior;
and returning the matching result to the tenant.
Specifically, after the trusted level calling model and the actual calling process model are obtained, the actual calling model is compared with the model in the normal behavior library:
1) the behavior matching module finds a corresponding normal and credible model in the feasible level correlation model library according to the actual calling model;
2) the collected calling behaviors are compared with the credible hierarchy calling model, the matching mode is from the bottommost layer to the top layer, if complete matching is achieved, normal request operation initiated by a user during current request is considered, and if complete matching is not achieved, unauthorized request initiated from a certain behavior breakpoint is considered, so that whether malicious attack behaviors exist or not is judged.
According to the embodiment of the invention, the malicious attack behaviors are accurately and conveniently identified through the comparison between the standard-based behavior reference model and the actual behavior model, and the comparison is carried out layer by layer upwards from the bottommost layer of the model, so that the comparison process is ensured to be omitted.
Fig. 5 is a structural diagram of a monitoring system for internal threat behaviors of a virtual network according to an embodiment of the present invention, as shown in fig. 5, including an acquisition and construction module 51, an acquisition and generation module 52, and a matching module 53; wherein:
the obtaining and constructing module 51 is configured to obtain a normal behavior request of a tenant, and construct a trusted level calling model based on the normal behavior request; the acquisition generating module 52 is configured to acquire an actual behavior request of the tenant, and if it is monitored that the tenant performs virtual network management configuration operation, generate an actual call flow model in a behavior tracing manner based on acquired actual behavior request information; the matching module 53 is configured to match the actual call flow model with the trusted level call model to obtain a behavior matching result, determine whether the actual behavior request is a malicious attack behavior according to the matching result, and feed back the matching result to the tenant.
The system provided by the embodiment of the present invention is used for executing the corresponding method, the specific implementation manner of the system is consistent with the implementation manner of the method, and the related algorithm flow is the same as the algorithm flow of the corresponding method, which is not described herein again.
According to the embodiment of the invention, by adopting a behavior tracing and monitoring method aiming at internal security threats and combining behavior matching, on the basis of a credible level association model, actual behaviors are compared with a credible behavior model, feedback is realized, internal security risk monitoring is realized, and the security of a virtual network in a cloud environment is ensured.
Based on any of the above embodiments, the obtaining construction module 51 includes a first obtaining sub-module 511, a second obtaining sub-module 512, and a construction sub-module 513; wherein:
the first obtaining sub-module 511 is configured to obtain the normal behavior request through the log unique ID to obtain a log analysis result; the second obtaining sub-module 512 is configured to obtain the normal behavior request in a source code analysis manner, so as to obtain source code related keywords and functions; the construction submodule 513 is configured to generate the trusted level calling model based on the log analysis result and the source code related keywords and functions.
The first obtaining sub-module 511 is specifically configured to perform normal management and configuration on a virtual network by the tenant, and send a preset request to a cloud service provider; and after responding to the request of the tenant, the cloud service provider provides the log information generated by the unique ID of the tenant to a trusted third party, and the trusted third party generates the log analysis result according to the process calling condition of the unique ID in the log information in each node.
The second obtaining sub-module 512 is specifically configured to perform normal management and configuration on a virtual network by the tenant, send a preset request to a cloud service provider, and send parameter information delivered by the tenant to a trusted third party; and after responding to the request of the tenant, the cloud service provider sends the calling condition of each node under the cloud service platform and the parameter transmission content of each node to the trusted third party to obtain the source code related keywords and functions.
According to the embodiment of the invention, the normal behavior request of the user is obtained through the unique ID of the log and the source code analysis, and a standard credible level calling model is constructed on the basis of the normal behavior request, so that a reliable reference basis is provided for subsequent behavior matching.
Based on any of the above embodiments, the acquisition generating module 52 includes an acquisition submodule 521, a monitoring submodule 522 and a tracing submodule 523; wherein:
the acquisition submodule 521 is used for the tenant to send the actual behavior request to a cloud service provider, a behavior acquisition point records the process calling condition and the parameter transmission content of each node, stores acquisition information, and judges whether to generate the actual calling flow model according to whether real-time behavior monitoring information exists or not; the monitoring submodule 522 is configured to notify a behavior collection point to generate an actual operation call process if a behavior monitoring point monitors that the tenant performs virtual network management configuration operation in real time; the tracing sub-module 523 is configured to generate the actual call flow model in a behavior tracing manner according to the behavior collection point information and the sequence of the virtual network service process, the virtual network management process, and the control module from layer to layer upward according to the collection point information characteristics.
According to the embodiment of the invention, the actual network request message is accurately recorded through the collection, monitoring and tracing of the actual behavior, the actual calling process model is completely constructed, the series of user behaviors of the tenant in the actual cloud service request process are highly restored, and a real basis is provided for the subsequent matching.
Based on any of the above embodiments, the matching module 53 includes a search sub-module 531, a determination sub-module 532, and a return sub-module 533; wherein:
the search submodule 531 is configured to find a corresponding trusted level calling model in a library formed by the trusted level calling models according to the actual calling process model; the judgment submodule 532 is configured to compare the collected call behavior with the trusted level call model, and perform matching layer by layer from the lowest layer of the trusted level call model to the top layer to obtain the behavior matching result; if the calling behavior can be completely matched, the tenant request corresponding to the calling behavior is considered as normal operation, otherwise, the tenant request corresponding to the calling behavior is considered as a malicious attack behavior; the return submodule 533 is configured to return the matching result to the tenant.
According to the embodiment of the invention, the malicious attack behaviors are accurately and conveniently identified through the comparison between the standard-based behavior reference model and the actual behavior model, and the comparison is carried out layer by layer upwards from the bottommost layer of the model, so that the comparison process is ensured to be omitted.
Fig. 6 illustrates a physical structure diagram of an electronic device, which may include, as shown in fig. 6: a processor (processor)610, a communication Interface (Communications Interface)620, a memory (memory)630 and a communication bus 640, wherein the processor 610, the communication Interface 620 and the memory 630 communicate with each other via the communication bus 640. The processor 610 may call logic instructions in the memory 630 to perform the following method: acquiring a normal behavior request of a tenant, and constructing a trusted level calling model based on the normal behavior request; acquiring an actual behavior request of the tenant, and if the fact that the tenant performs virtual network management configuration operation is monitored, generating an actual calling flow model through a behavior tracing mode based on acquired actual behavior request information; and matching the actual calling flow model with the credible level calling model to obtain a behavior matching result, judging whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding back the matching result to the tenant.
In addition, the logic instructions in the memory 630 may be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented to perform the transmission method provided in the foregoing embodiments when executed by a processor, and for example, the method includes: acquiring a normal behavior request of a tenant, and constructing a trusted level calling model based on the normal behavior request; acquiring an actual behavior request of the tenant, and if the fact that the tenant performs virtual network management configuration operation is monitored, generating an actual calling flow model through a behavior tracing mode based on acquired actual behavior request information; and matching the actual calling flow model with the credible level calling model to obtain a behavior matching result, judging whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding back the matching result to the tenant.
According to the embodiment of the invention, by adopting a behavior tracing and monitoring method aiming at internal security threats and combining behavior matching, on the basis of a credible level association model, actual behaviors are compared with a credible behavior model, feedback is realized, internal security risk monitoring is realized, and the security of a virtual network in a cloud environment is ensured.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A monitoring method for threat behaviors inside a virtual network is characterized by comprising the following steps:
acquiring a normal behavior request of a tenant, and constructing a trusted level calling model based on the normal behavior request;
acquiring an actual behavior request of the tenant, and if the fact that the tenant performs virtual network management configuration operation is monitored, generating an actual calling flow model through a behavior tracing mode based on acquired actual behavior request information;
and matching the actual calling flow model with the credible level calling model to obtain a behavior matching result, judging whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding back the matching result to the tenant.
2. The method for monitoring threat behaviors inside a virtual network according to claim 1, wherein the obtaining of a normal behavior request of a tenant and the building of a trusted level invocation model based on the normal behavior request specifically include:
acquiring the normal behavior request through the unique ID of the log to obtain a log analysis result;
acquiring the normal behavior request in a source code analysis mode to obtain source code related keywords and functions;
and generating the credible level calling model based on the log analysis result and the source code related keywords and functions.
3. The method for monitoring the threat behavior inside the virtual network according to claim 2, wherein the obtaining of the normal behavior request through the log unique ID to obtain a log analysis result specifically comprises:
the tenant performs normal management and configuration on a virtual network, and sends a preset request to a cloud service provider;
and after responding to the request of the tenant, the cloud service provider provides the log information generated by the unique ID of the tenant to a trusted third party, and the trusted third party generates the log analysis result according to the process calling condition of the unique ID in the log information in each node.
4. The method for monitoring the threat behavior inside the virtual network according to claim 2, wherein the obtaining of the normal behavior request by a source code analysis mode to obtain source code related keywords and functions specifically comprises:
the tenant performs normal management to configure a virtual network, sends a preset request to a cloud service provider, and sends parameter information transmitted by the tenant to a trusted third party;
and after responding to the request of the tenant, the cloud service provider sends the calling condition of each node under the cloud service platform and the parameter transmission content of each node to the trusted third party to obtain the source code related keywords and functions.
5. The method according to claim 1, wherein the method for monitoring the internal threat behavior of the virtual network is characterized in that the method for acquiring the actual behavior request of the tenant, and if it is monitored that the tenant performs virtual network management configuration operation, an actual call flow model is generated in a behavior tracing manner based on the acquired actual behavior request information, and specifically includes:
the tenant sends the actual behavior request to a cloud service provider, a behavior acquisition point records the process calling condition and the parameter transmission content of each node, acquired information is stored, and whether the actual calling process model is generated or not is judged according to whether real-time behavior monitoring information exists or not;
if the behavior monitoring point monitors that the tenant performs virtual network management configuration operation in real time, the behavior acquisition point is notified to generate an actual operation calling process;
and the behavior acquisition point generates the actual calling flow model in a behavior tracing manner according to the acquisition information and the information characteristics of the acquisition point and the sequence of the virtual network service process, the virtual network management process and the control assembly from layer to layer upwards through the acquisition information.
6. The method according to claim 1, wherein the matching the actual call flow model with the trusted level call model to obtain a behavior matching result, determining whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding back the matching result to the tenant specifically includes:
finding a corresponding credible level calling model in a library consisting of the credible level calling models according to the actual calling process model;
comparing the collected calling behaviors with the credible level calling model, and matching layer by layer from the bottommost layer of the credible level calling model to obtain the behavior matching result; if the calling behavior can be completely matched, the tenant request corresponding to the calling behavior is considered as normal operation, otherwise, the tenant request corresponding to the calling behavior is considered as a malicious attack behavior;
and returning the matching result to the tenant.
7. A system for monitoring threat behavior within a virtual network, comprising:
the acquisition construction module is used for acquiring a normal behavior request of a tenant and constructing a credible level calling model based on the normal behavior request;
the acquisition generation module is used for acquiring the actual behavior request of the tenant, and if the fact that the virtual network management configuration operation of the tenant is carried out is monitored, an actual calling flow model is generated in a behavior tracing mode based on the acquired actual behavior request information;
and the matching module is used for matching the actual calling flow model with the credible level calling model to obtain a behavior matching result, judging whether the actual behavior request is a malicious attack behavior according to the matching result, and feeding the matching result back to the tenant.
8. The system for monitoring threat behaviors inside a virtual network according to claim 7, wherein the acquisition and construction module comprises a first acquisition submodule, a second acquisition submodule and a construction submodule; wherein:
the first obtaining submodule is used for obtaining the normal behavior request through the unique log ID to obtain a log analysis result;
the second obtaining submodule is used for obtaining the normal behavior request in a source code analysis mode to obtain source code related keywords and functions;
and the construction submodule is used for generating the credible level calling model based on the log analysis result and the source code related keywords and functions.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method for monitoring threat behavior within a virtual network as claimed in any one of claims 1 to 6 when executing the program.
10. A non-transitory computer readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method for monitoring threat behavior inside a virtual network according to any one of claims 1 to 6.
CN201911303459.8A 2019-12-17 2019-12-17 Method and system for monitoring threat behaviors in virtual network Active CN110958267B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911303459.8A CN110958267B (en) 2019-12-17 2019-12-17 Method and system for monitoring threat behaviors in virtual network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911303459.8A CN110958267B (en) 2019-12-17 2019-12-17 Method and system for monitoring threat behaviors in virtual network

Publications (2)

Publication Number Publication Date
CN110958267A true CN110958267A (en) 2020-04-03
CN110958267B CN110958267B (en) 2022-01-04

Family

ID=69982208

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911303459.8A Active CN110958267B (en) 2019-12-17 2019-12-17 Method and system for monitoring threat behaviors in virtual network

Country Status (1)

Country Link
CN (1) CN110958267B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567678A (en) * 2022-02-28 2022-05-31 天翼安全科技有限公司 Resource calling method and device of cloud security service and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140122724A1 (en) * 2012-10-29 2014-05-01 Ericsson Ab Method and system to allocate bandwidth in cloud computing networks
CN106506274A (en) * 2016-11-08 2017-03-15 东北大学秦皇岛分校 A kind of efficient single bag source tracing method of dynamic extending
CN106992994A (en) * 2017-05-24 2017-07-28 腾讯科技(深圳)有限公司 A kind of automatically-monitored method and system of cloud service
CN107391353A (en) * 2017-07-07 2017-11-24 西安电子科技大学 Complicated software system anomaly detection method based on daily record
CN108718307A (en) * 2018-05-10 2018-10-30 北京工业大学 A kind of behavior retrospect detection method internally threatened below IaaS cloud environment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140122724A1 (en) * 2012-10-29 2014-05-01 Ericsson Ab Method and system to allocate bandwidth in cloud computing networks
CN106506274A (en) * 2016-11-08 2017-03-15 东北大学秦皇岛分校 A kind of efficient single bag source tracing method of dynamic extending
CN106992994A (en) * 2017-05-24 2017-07-28 腾讯科技(深圳)有限公司 A kind of automatically-monitored method and system of cloud service
CN107391353A (en) * 2017-07-07 2017-11-24 西安电子科技大学 Complicated software system anomaly detection method based on daily record
CN108718307A (en) * 2018-05-10 2018-10-30 北京工业大学 A kind of behavior retrospect detection method internally threatened below IaaS cloud environment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王国峰,刘川意,潘鹤中,方滨兴: "云计算模式内部威胁综述", 《计算机学报》 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567678A (en) * 2022-02-28 2022-05-31 天翼安全科技有限公司 Resource calling method and device of cloud security service and electronic equipment

Also Published As

Publication number Publication date
CN110958267B (en) 2022-01-04

Similar Documents

Publication Publication Date Title
CN107196895B (en) Network attack tracing implementation method and device
CN111756702B (en) Data security protection method, device, equipment and storage medium
CN112787992A (en) Method, device, equipment and medium for detecting and protecting sensitive data
CN114372286A (en) Data security management method and device, computer equipment and storage medium
CN112534432A (en) Real-time mitigation of unfamiliar threat scenarios
CN109347806A (en) A kind of the digging mine malware detection system and method for Intrusion Detection based on host monitoring technology
CN108769071A (en) attack information processing method, device and internet of things honey pot system
US20240007487A1 (en) Asset Remediation Trend Map Generation and Utilization for Threat Mitigation
US20160110544A1 (en) Disabling and initiating nodes based on security issue
US11762991B2 (en) Attack kill chain generation and utilization for threat analysis
CN107315952A (en) Method and apparatus for determining application program suspicious actions
CN113614718A (en) Abnormal user session detector
JP2023550974A (en) Image-based malicious code detection method and device and artificial intelligence-based endpoint threat detection and response system using the same
CN110958267B (en) Method and system for monitoring threat behaviors in virtual network
CN110099041A (en) A kind of Internet of Things means of defence and equipment, system
CN111585813B (en) Management method and system of network nodes in Internet of things environment
Repetto Adaptive monitoring, detection, and response for agile digital service chains
CN113098852A (en) Log processing method and device
CN115296936B (en) Automatic method and system for assisting detection of anti-network crime
CN110378120A (en) Application programming interfaces attack detection method, device and readable storage medium storing program for executing
CN114567678B (en) Resource calling method and device for cloud security service and electronic equipment
CN114205169B (en) Network security defense method, device and system
KR20130033161A (en) Intrusion detection system for cloud computing service
CN109218315A (en) A kind of method for managing security and security control apparatus
CN114386047A (en) Application vulnerability detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant